Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI).

The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline.

The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA).

Healthcare organizations can adopt cybersecurity frameworks, create layered defenses to keep their networks secure, provide security awareness training to employees, and adopt cybersecurity best practices, yet still experience a data breach.

OCR has already made it clear that its area of focus for enforcement is egregious violations of HIPAA Rules, such as widespread noncompliance and HIPAA-covered entities that have little regard for HIPAA Rules. However, all breaches of 500 or more records are investigated, and if HIPAA violations are discovered, financial penalties could be issued.

It has been argued that entities that have made reasonable efforts to keep patient information private and confidential should not be at risk of significant penalties.

CHIME suggested OCR should create “A safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The AHA suggested healthcare organizations that experience cyberattacks should be provided with support and resources, and rather than punishing the breached entity, “Enforcement efforts should rightly focus on investigating and prosecuting the attackers.”

Most healthcare organizations take significant steps to prevent successful cyberattacks. The AHA said that when an attack occurs, an investigation is necessary to determine how access to systems and data was gained. Lessons can be learned, safeguards improved, and details of the vulnerabilities and threats should then be shared widely to allow other healthcare organizations to prevent similar attacks.

The AHA suggested there should be “A safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity, such as those promulgated by HHS, in cooperation with the private sector.”

The AMA suggests that “OCR could revise [the HIPAA Security Rule] to include a new clause stating that covered entities that adopt and implement a security framework – such as the NIST Cybersecurity Framework – or take steps toward applying the Health Industry Cybersecurity Practices – the primary publication of the Cybersecurity Act of 2015 Task Group – are in compliance with the Security Rule.”

The AMA also suggests that OCR should change its approach to securing health information, moving from issuing penalties for failures to providing positive incentives that encourage healthcare organizations to improve security and better protect health information.

CHIME stated that the current policy that calls for breaches to be reported and listed on the OCR breach portal in perpetuity is unduly punitive and that there should be a mechanism for removing breached entities from the listings once they have taken actions to correct vulnerabilities that contributed to the breach.

The HHS is now assessing all comments and feedback received in relation to its RFI and will determine which aspects of HIPAA Rules should be changed. A notice of proposed rulemaking will then be issued, although the HHS has not provided a time frame for doing so.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.